RPZ and negative answers

Vernon Schryver vjs at rhyolite.com
Wed Apr 3 23:13:27 UTC 2013


> From: Chris Buxton <clists at buxtonfamily.us>

> If a name exists in the response policy, and also exists in the real
> Internet namespace, the value from the policy is returned. But if it
> doesn't exist out on the Internet, then the value is not returned --
> an NXDOMAIN (or SERVFAIL, or whatever) is returned instead.
>
> I've known this for a while but haven't understood why it is thus.
> Today, it has become a problem for me. If I set a policy of "this
> name gets response X", I expect that policy to be used rather than
> "this name gets response X unless it doesn't exist out on the
> Internet or can't be resolved due to an error."

RPZ stands for "response policy zone" and concerns rewriting responses
instead of queries.  The answer section of an NXDOMAIN or SERVFAIL
response does not contain a domain name that could trigger rewriting.

Rewriting queries instead of responses would fail to rewrite CNAME
chains.

Even when the unrewritten response is an error such as NXDOMAIN, an
RPZ action can be triggered by the name or address of any NS RR that
is authoritative for the response and that is found in glue or otherwise.

Previous versions of the RPZ mechanism in BIND required ./configure
settings to enable rpz-nsip and rpz-nsdname rules.  They are enabled
by default in future released versions of BIND as well as the speed-up
patches that can be found by following the link labeled "Patch files for
BIND9" on http://www.redbarn.org/dns/ratelimits


Vernon Schryver    vjs at rhyolite.com
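Added illustration, not part of Vernon's message or of the BIND sources: a
BIND 9 response policy zone that puts a QNAME local-data rule of the kind
Chris describes beside the rpz-nsdname and rpz-nsip rules the reply points
to, so the difference in what each rule is keyed on is visible in one file.
The zone name rpz.example, every host name, the addresses and the serial
are made up; the ./configure option names quoted in the comments are the
ones from the BIND 9.8/9.9 configure script.

```dns
; Added example (not from the post). Serve this as an ordinary master
; zone and enable it in named.conf with
;   response-policy { zone "rpz.example"; };
; Zone name, host names and addresses are assumptions.
$TTL 300
@                               IN SOA  localhost. hostmaster.rpz.example. (
                                        2013040301 ; serial (made up)
                                        3600 600 86400 300 )
                                IN NS   localhost.

; --- QNAME triggers: keyed on a name carried in the *response* ---
; Local-data action: answer 192.0.2.1 for walled.example. As the reply
; explains, this rewrites a response that actually carries the name; an
; NXDOMAIN or SERVFAIL for the real name has no answer section to rewrite.
walled.example                  IN A    192.0.2.1

; NXDOMAIN action (CNAME .) for bad.example and everything under it.
bad.example                     IN CNAME .
*.bad.example                   IN CNAME .

; Because responses rather than queries are rewritten, a rule on a CNAME
; target also fires when some unrelated alias points at it, e.g.
;   www.alias.example.  CNAME  cdn.tracker.example.   <- caught here
cdn.tracker.example             IN CNAME .

; --- NSDNAME / NSIP triggers: keyed on the authoritative name servers ---
; These can fire even when the unrewritten response is NXDOMAIN, because
; the trigger is the NS name or address found in the authority section or
; glue, not a name in the answer section. BIND 9.8/9.9 builds need
; --enable-rpz-nsdname and --enable-rpz-nsip at ./configure time.
ns1.evil.example.rpz-nsdname    IN CNAME .
; NSIP owner names are prefixlen.reversed-octets: 198.51.100.0/24 becomes
24.0.100.51.198.rpz-nsip        IN CNAME .

; Other actions for comparison: NODATA (CNAME *.) and an explicit
; passthru that exempts a name from every other rule in this zone.
noans.example                   IN CNAME *.
trusted.example                 IN CNAME rpz-passthru.
```

Owner names are relative to the policy zone, so walled.example above is
really walled.example.rpz.example; that is how a QNAME rule is written.
The only lines that address the situation in the quoted question, a
policy for a name whose real lookup fails, are the rpz-nsdname and
rpz-nsip records, which key on the servers that produced the negative
response rather than on the name itself.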

